
The 60 answers and 28 upvotes would seem to outweigh the 5 votes to close (that took all day to accumulate, AFAIK). But I will refrain from voting to reopen until this has been discussed.
– rmeador, Sep 24 '09 at 22:57

Even if your question has been community wiki for hours, the comment is still a good comment to upvote, as it reminds people that questions similar to this one should be community wiki. That's what I think.
– Joren, Sep 25 '09 at 19:44

163 Answers

Getting a 90% discount by entering .1 in the quantity field of the shopping cart. The software properly calculated the total cost as .1 * cost, and the human packing the order simply glossed over the odd "." in front of the quantity to pack :)

Jeff Bezos mentioned that in the very early days of Amazon, you could have a negative quantity of books and Amazon would credit your account (and presumably wait for you to ship it to them). See 0:47 at youtube.com/watch?v=-hxX_Q5CnaA
– Jeff Moser, Sep 29 '09 at 20:18

Would have loved to see the face of the customer who actually got delivered the .1 harddrives he paid for.
– relet, Jul 16 '10 at 12:47

It's amazing how many pages on the Internet, government sites in particular, pass an SQL query through the query string. It's the worst form of SQL injection, and it takes no effort at all to find vulnerable sites.

With minor tweaks, I've been able to find unprotected installations of phpMyAdmin, unprotected installations of MySQL, query strings containing usernames and passwords, etc.
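Added example, not code from the answer above: what "the SQL query in the query string" looks like next to the hardened shape (server-side named queries plus bound parameters), using Python's sqlite3 against a constructed two-table database. The site, table and column names are assumptions for the demo.

```python
import sqlite3
from urllib.parse import parse_qs, urlparse


def make_db():
    """Constructed sample data standing in for a small site's database."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE press_releases(id INTEGER PRIMARY KEY, title TEXT, public INTEGER);
        CREATE TABLE users(id INTEGER PRIMARY KEY, username TEXT, password TEXT);
        INSERT INTO press_releases VALUES (1, 'Budget approved', 1), (2, 'Draft: layoffs', 0);
        INSERT INTO users VALUES (1, 'admin', 'hunter2'), (2, 'clerk', 'letmein');
    """)
    return db


def vulnerable_handler(db, url):
    """The anti-pattern from the answer: the SQL text itself is read from the query string.
    Whoever edits the URL chooses the query, so every table is readable."""
    sql = parse_qs(urlparse(url).query)["sql"][0]
    return db.execute(sql).fetchall()


# Hardened shape: the client names a query, the SQL lives on the server, and the
# only user-controlled data reaches the database as bound parameters.
QUERIES = {
    "release":  ("SELECT id, title FROM press_releases WHERE public = 1 AND id = ?", ("id",)),
    "releases": ("SELECT id, title FROM press_releases WHERE public = 1", ()),
}


def hardened_handler(db, url):
    """Returns (status, rows): 400 for anything that is not a known query with integer ids."""
    params = parse_qs(urlparse(url).query)
    name = params.get("q", [""])[0]
    if name not in QUERIES:
        return 400, []
    sql, wanted = QUERIES[name]
    try:
        args = tuple(int(params[k][0]) for k in wanted)   # ids must be integers, nothing else
    except (KeyError, ValueError):
        return 400, []
    return 200, db.execute(sql, args).fetchall()
```

The hardened handler never lets a string from the request become part of the SQL text; even `id=1 OR 1=1` fails the integer conversion and is refused before the database sees it.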

<Cthon98> hey, if you type in your pw, it will show as stars
<Cthon98> ********* see!
<AzureDiamond> hunter2
<AzureDiamond> doesnt look like stars to me
<Cthon98> <AzureDiamond> *******
<Cthon98> thats what I see
<AzureDiamond> oh, really?
<Cthon98> Absolutely
<AzureDiamond> you can go hunter2 my hunter2-ing hunter2
<AzureDiamond> haha, does that look funny to you?
<Cthon98> lol, yes. See, when YOU type hunter2, it shows to us as *******
<AzureDiamond> thats neat, I didnt know IRC did that
<Cthon98> yep, no matter how many times you type hunter2, it will show to us as *******
<AzureDiamond> awesome!
<AzureDiamond> wait, how do you know my pw?
<Cthon98> er, I just copy pasted YOUR ******'s and it appears to YOU as hunter2 cause its your pw
<AzureDiamond> oh, ok.

You haven't known fear until the day you wake up and see the headline on ZDNet.com that morning is "Worst Internet Explorer Security Hole Ever Has Been Discovered In 'Blah'" where 'Blah' is code you wrote yourself six months previously.

Immediately upon getting to work I checked the change logs and discovered that someone on another team -- someone we trusted to make changes to the product -- had checked out my code, changed a bunch of the security registry key settings for no good reason, checked it back in, and never got a code review or told anyone about it. To this day I have no idea what on earth he thought he was doing; he left the company shortly thereafter. (Of his own accord.)

(UPDATE: A few responses to issues raised in the comments:

First, note that I choose to take the charitable position that the security key changes were unintentional and based on carelessness or unfamiliarity, rather than malice. I have no evidence one way or the other, and believe that it is wise to attribute mistakes to human fallibility.

Second, our checkin systems are much, much stronger now than they were twelve years ago. For example, it is now not possible to check in code without the checkin system emailing the change list to interested parties. In particular, changes made late in the ship cycle have a lot of "process" around them which ensures that the right changes are being made to ensure the stability and security of the product.)

Anyway, the bug was that an object which was NOT safe to be used from Internet Explorer had been accidentally released as being marked "safe for scripting". The object was capable of writing binary files -- OLE Automation type libraries, in fact -- to arbitrary disk locations. This meant that an attacker could craft a type library that contained certain strings of hostile code, save it to a path that was a known executable location, give it the extension of something that would cause a script to run, and hope that somehow the user would accidentally run the code. I do not know of any successful "real world" attacks that used this vulnerability, but it was possible to craft a working exploit with it.

We shipped a patch pretty darn quickly for that one, let me tell you.

I caused and subsequently fixed many more security holes in JScript, but none of them ever got anywhere near the publicity that one did.

Arguably, this is actually 2 security exploits; the other one being how to get code onto a production build server without anyone noticing / approving the change ;-p
– Marc Gravell♦, Sep 24 '09 at 11:30

"Never attribute to malice that which can be adequately explained by stupidity." -- Hanlon's Razor
– David R Tribble, Sep 24 '09 at 22:27

There is no one source control system mandated for use across Microsoft. Most teams these days either use Source Depot or Team Foundation. Unsurprisingly, the Visual Studio product teams generally use Team Foundation. Eat your own dogfood, you know.
– Eric Lippert, Oct 10 '09 at 21:11

@Kristof - I'm guessing he means the fact that the last user gets a list of ALL the users and passwords. :)
– Don Branson, Sep 24 '09 at 10:51

I absolutely loathe systems that email me back my password as part of the registration process. This has two flaws: 1. They're storing my plaintext password somewhere within their system. If not their permanent user database, definitely their registration processing system. 2. It was sent via EMAIL, either plain text or HTML, SMTPing its way through mail relays across the internet. There's a number of men-in-the-middle which could intercept this. At the very least, if you feel the need to send me emails with secure information, let me specify my public PGP key to you to encrypt it!
– Jesse C. Slicer, Sep 24 '09 at 15:06

I used MD5 hashes to protect the passwords in a database once. But after I ran the results through a rainbow table and matched about 50% of the passwords... I figured it was a good time to add a salt.
– Matthew Whited, Sep 24 '09 at 18:30
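Added example, not part of the comment above: a stand-in for the rainbow-table lookup against unsalted MD5, then the per-user salt plus a slow KDF (PBKDF2) that makes precomputation useless. The wordlist and stored hashes are constructed for the demo, and the iteration count is a demo value.

```python
import hashlib
import hmac
import os

COMMON_PASSWORDS = ["123456", "password", "hunter2", "letmein", "qwerty"]   # constructed wordlist


def md5_unsalted(pw):
    """What the comment's first scheme stored: one MD5 per password, identical for every user."""
    return hashlib.md5(pw.encode()).hexdigest()


def build_lookup_table(wordlist):
    """Stand-in for a rainbow table: hash the wordlist once, reuse the table against every database."""
    return {md5_unsalted(pw): pw for pw in wordlist}


def crack_unsalted(stored_hashes, table):
    """Every stored hash that appears in the table is recovered by a dictionary lookup."""
    return {h: table[h] for h in stored_hashes if h in table}


def hash_password(pw, salt=None, iterations=200_000):
    """Per-user random salt plus a slow KDF; the salt is stored beside the hash, it is not secret.
    200_000 is a demo value: choose the iteration count for your hardware and current guidance."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(pw, stored):
    """Recompute with the stored salt and iteration count; constant-time compare of the digests."""
    algo, iters, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", pw.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest.hex(), digest_hex)
```

With a salt, two users with the same password get different hashes, so a table built in advance matches nothing, and the attacker has to pay the full KDF cost per guess per user.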

The old IBM System 36 dumb terminals had a keyboard combination that started the recording of a macro. So when a terminal was not logged in, you could start the recording of a macro and leave it in that position. Next time someone logged in, the keystrokes would be recorded in the macro and the recording would end automatically when maximum allowed keys was recorded. Just come back later and replay the macro to autolog-in.

The worst security hole I've ever seen was actually coded by yours truly and caused the Google Bot to delete my entire database.

Back when I was first learning Classic ASP, I coded my own basic blog application. The directory with all the admin scripts was protected by NTLM on IIS. One day I moved to a new server and forgot to re-protect the directory in IIS (oops).

The blog home page had a link to the main admin screen, and the main admin screen had a DELETE LINK for each record (with no confirmation).

One day I found every record in the database deleted (hundreds of personal entries). I thought some reader had broken into the site and maliciously deleted every record.

I came to find out from the logs: The Google Bot had crawled the site, followed the admin link, and then proceeded to follow all the DELETE LINKS, thereby deleting every record in the database. I felt I deserved the Dumbass of the Year award, getting inadvertently compromised by the Google Bot.
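Added example, not code from the answer above: a minimal model of an admin page whose delete links are plain GET URLs, a crawler that follows every `<a href>` it finds, and the hardened version (authentication required, state change only on POST, and the POST carries a per-session CSRF token). `Blog`, `Request`, the route names and the post data are hypothetical.

```python
import secrets
from dataclasses import dataclass, field
from html.parser import HTMLParser
from typing import Optional


@dataclass
class Request:
    method: str
    path: str
    user: Optional[str] = None          # None = not logged in
    form: dict = field(default_factory=dict)


class Blog:
    def __init__(self):
        self.posts = {1: "first", 2: "second", 3: "third"}   # constructed records
        self.csrf_tokens = {}

    # --- the original layout: admin page links to GET /admin/delete?id=N, no auth check ---
    def vulnerable_admin_page(self):
        return "".join(f'<a href="/admin/delete?id={i}">delete</a>' for i in self.posts)

    def vulnerable_handle(self, req):
        if req.path.startswith("/admin/delete"):
            self.posts.pop(int(req.path.split("id=")[1]), None)
            return 200
        return 404

    # --- hardened: login required, deletes only via POST, each POST carries a CSRF token ---
    def hardened_admin_page(self, user):
        token = self.csrf_tokens.setdefault(user, secrets.token_urlsafe(16))
        return "".join(
            f'<form method="post" action="/admin/delete">'
            f'<input type="hidden" name="id" value="{i}">'
            f'<input type="hidden" name="csrf" value="{token}">'
            f'<button>delete</button></form>' for i in self.posts)

    def hardened_handle(self, req):
        if not req.path.startswith("/admin/"):
            return 404
        if req.user is None:
            return 401
        if req.method != "POST":
            return 405          # crawlers and link prefetchers only ever issue GET
        expected = self.csrf_tokens.get(req.user, "-")
        if not secrets.compare_digest(req.form.get("csrf", ""), expected):
            return 403
        self.posts.pop(int(req.form["id"]), None)
        return 200


class LinkCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.links.append(dict(attrs).get("href"))


def crawl(blog, page_html, handler):
    """Behave like a well-meaning crawler: GET every <a href>, never submit a form."""
    parser = LinkCollector()
    parser.feed(page_html)
    return [handler(Request("GET", href)) for href in parser.links]
```

The hardened page gives a crawler nothing to follow, and even a hand-typed GET to the delete route is refused before any record is touched; the CSRF token is what stops a logged-in admin's browser from being tricked into issuing the POST from another site.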

@recursive: true, but if the directory is not password-protected, it doesn't stop a human deleting everything.
– DisgruntledGoat, Jan 18 '10 at 0:39

I've had this problem with browser plugins that prefetch links. I once worked for a blogging site, and we were puzzled for days when one user reported that all comments on her blog would mysteriously vanish.
– Matthew, Mar 13 '10 at 2:47

No, you didn't deserve that award. You would have deserved it if this had happened and you didn't have backups.
– Kyralessa, Dec 22 '10 at 23:16

I've seen such code. That is usually because the user lookup uses a LIKE, as in "SELECT * FROM [User] Where UserName LIKE '%" + userName + "%'". And since the administrator is typically the first user in the database, it returns that user.
– Pierre-Alain Vigeant, Sep 24 '09 at 17:34

Why would you do a LIKE with a username? ... So I could be admin by typing adm when I meant to type Adam.
– Matthew Whited, Sep 24 '09 at 18:27

Most companies give you three attempts to log in under a given user-ID before they lock out the account. So it's trivially easy to lock out someone else's account with three bad passwords.
– David R Tribble, Sep 24 '09 at 22:38

I think this may be not as stupid as you think. This trivial password might work like the button "yes, I am from the federal government" with the difference that a person who tries to misuse it, if caught, can also be prosecuted for "providing false credentials" (or whatever they call it?)
– ilya n., Sep 24 '09 at 10:20

Don't worry, as long as the web site is copyrighted, the DMCA provides 100% protection. You're not allowed to "circumvent" the Javascript.
– Steve Hanov, Sep 24 '09 at 13:33

@Steve Hanov: You have an interesting definition of "circumvent" If I type that url into my browser... or even copy/paste it... I'm not bypassing anything, I'm just using my browser to go to an address I put in my address bar. Which is one of the intended purposes of a web browser.
– Powerlord, Sep 24 '09 at 13:39

@ICodeForCoffee: where's the SQL injection here? This is just confusing the purposes of GET vs POST. It's a fairly common mistake by novice web devs. I recall reading a Daily WTF article about this exact problem.
– rmeador, Sep 24 '09 at 15:24

The real problem here is the Googlebot could wipe the database without ever authenticating.
– MiffTheFox, Nov 30 '09 at 14:57

Hope they were able to retrieve them from google cache.
– fastcodejava, Jun 6 '10 at 5:03

Summary: malicious users can buy a few dozen flash drives, load them with an auto-run virus or trojan, then sprinkle said flash drives in a company's parking lot late at night. Next day, everyone shows up to work, stumbles on the shiny, candy-shaped, irresistible hardware and says to themselves "oh wow, free flash drive, I wonder what's on it!" -- 20 minutes later the entire company's network is hosed.

@mmyers: banning flash drives is not the good approach. Break the autorun/autoplay.
– Jay, Sep 25 '09 at 12:54

Read some time ago, another approach (from the floppy disk times): leave a boot-infected floppy disk labeled "Accounting data - confidential" in a corridor of the office and wait 5 minutes. Irresistible!
– Rodrigo, Sep 25 '09 at 15:03

Fortunately, I can always boot up from a Linux Live CD and examine the flash drive from there.
– David Thornley, Oct 2 '09 at 17:28

@Jay - Unfortunately, how many people would look at the files and then double click on them "to see what they do"? Banning is a necessity many of times because people don't think.
– JasCav, Mar 15 '10 at 16:09

If you enter your password incorrectly a third time, you are asked if you have forgotten your password.

But instead of having security, like continuing to prompt for the correct password until it's entered or locking you out after a number of incorrect attempts, you can enter any new password and it will replace the original one! Anyone can do this with any password "protected" Microsoft Bob account.

There is no prior authentication required.
This means User1 could change their own password just by mistyping their password three times and then entering a new password the fourth time -- never having to use "change password."

It also means that User1 could change the passwords of User2, User3... in exactly the same way. Any user can change any other user's password just by mistyping it three times then entering a new password when prompted -- and then they can access the account.

This is the same behavior as Windows itself when a computer is not administered by a domain. Even on Windows Vista Ultimate, you can reset a password at any time. I am guessing that denial-of-service is considered a bigger threat than unauthorized access; especially since you can get most stuff just by re-mounting the drive elsewhere anyway. I believe the purpose of the password in this case is for intrusion detection rather than prevention.
– Jeffrey L Whitledge, Nov 4 '09 at 8:57

Someone wiser than me pointed out this is just good threat modeling. 'Bob' was for home use in a non-networked era and you were FAR more likely to suffer an attempted DOS from your little sister or a hangover than from some burglar. Bob let you know that your account had been accessed (because your old password no longer worked) but didn't try to do more.
– bgiles, May 3 '10 at 16:51

@ChristianWimmer - Sounds kind of like giving people a backpack marked "Parachute" so they get used to the feel of one on their back, but without telling them there is no parachute in there.
– JohnFx, Oct 25 '10 at 21:21

I had Joe X's former home address, and needed to know his newer current address in the same city, but had no way to contact him. I figured he was receiving the usual daily pile of mail order catalogs, so I arbitrarily called the 800 number for See's Candies (as opposed to Victoria's Secret, or Swiss Colony, or any other big mailer):

Me: "Hi, I'm Joe X. I think you've got me on your mailing list twice, at both my old address and my new address. Does your computer show me at [old address] or at [fake address]?"

Being an application security consultant for a living there are lots of common issues that let you get admin on a website via something. But the really cool part is when you can buy a million dollars worth of socks.

It was a friend of mine working on this gig, but the gist of it was that prices for items in a certain now very popular online book (and everything else) shop were stored in the HTML itself as a hidden field. Back in the early days this bug bit a lot of online stores; they were just starting to figure out the web. Very little security awareness, I mean really, who is going to download the HTML, edit the hidden field and resubmit the order?

Naturally we changed the price to 0 and ordered 1 million pairs of socks. You could also change the price to negative but doing this made some part of their backend billing software buffer overflow ending the transaction.

If I could choose another it would be path canonicalization issues in web applications. It's wonderful to be able to do foo.com?file=../../../../etc/passwd
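Added example, not code from the answer above: the `?file=../../../../etc/passwd` pattern beside a canonicalizing check that resolves dot segments and symlinks and then requires the result to stay inside the served directory. The on-disk layout is constructed in a temporary directory for the demo; the route shape and status codes are assumptions.

```python
import os
import tempfile


class PathError(ValueError):
    pass


def vulnerable_read(base, user_path):
    """The foo.com?file=../../../../etc/passwd pattern: join and open, nothing canonicalized."""
    with open(os.path.join(base, user_path), "rb") as f:
        return f.read()


def safe_path(base, user_path):
    """Resolve dot segments and symlinks, then insist the result is still under base.
    commonpath rather than startswith, so /srv/public-old is not mistaken for /srv/public."""
    base_real = os.path.realpath(base)
    # os.path.join discards base when user_path is absolute, so drop leading separators first
    candidate = os.path.realpath(os.path.join(base_real, user_path.lstrip("/\\")))
    if os.path.commonpath([base_real, candidate]) != base_real:
        raise PathError(f"refusing {user_path!r}: resolves outside {base!r}")
    return candidate


def serve(base, user_path):
    """What a hardened handler would return: (status, body)."""
    try:
        with open(safe_path(base, user_path), "rb") as f:
            return 200, f.read()
    except PathError:
        return 403, b""
    except (FileNotFoundError, IsADirectoryError):
        return 404, b""


def build_fixture():
    """Constructed layout: public/hello.txt is servable, secret.txt sits one level up, and
    public/link is a symlink to the secret (skipped where symlinks cannot be created)."""
    root = tempfile.mkdtemp()
    public = os.path.join(root, "public")
    os.makedirs(public)
    with open(os.path.join(public, "hello.txt"), "wb") as f:
        f.write(b"hello")
    with open(os.path.join(root, "secret.txt"), "wb") as f:
        f.write(b"top secret")
    try:
        os.symlink(os.path.join(root, "secret.txt"), os.path.join(public, "link"))
        has_link = True
    except (OSError, NotImplementedError):
        has_link = False
    return public, has_link
```

Note that the symlink case is why a purely lexical check (stripping `..` from the string) is not enough: the path looks clean, and only `realpath` reveals that it leaves the directory.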

The order went through and the fulfillment system alerted the warehouse. We realized it probably worked and told our point of contact that they should stop the order. Apparently a bit later a warehouse manager called in asking about the order to be sure it was real. He was wisely of the mind that it was a software error.
– Collin, Sep 24 '09 at 21:06
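Added example, not code from any of the answers: server-side order validation covering the three tampering cases told on this page (the ".1" quantity, the negative quantity that credited the customer, and the hidden price field behind the million-socks order). The catalog, SKUs and quantity limit are constructed for the demo.

```python
from decimal import Decimal

# Constructed catalog: the server, not the order form, is the source of prices.
CATALOG = {"SOCKS-01": Decimal("4.99"), "HDD-2TB": Decimal("89.00"), "BOOK-42": Decimal("12.50")}
MAX_QTY = 100


def vulnerable_total(lines):
    """Trusts every posted field: price from a hidden input, quantity exactly as typed (".1", "-3", ...)."""
    return sum(Decimal(str(line["price"])) * Decimal(str(line["qty"])) for line in lines)


def validate_line(sku, qty_field):
    """Form fields arrive as strings; accept only a whole number between 1 and MAX_QTY.
    Returns (qty, "") or (None, reason)."""
    if sku not in CATALOG:
        return None, f"unknown sku {sku!r}"
    if not isinstance(qty_field, str) or not qty_field.isdecimal():   # rejects ".1", "-3", "1e3", "", " 2"
        return None, f"quantity must be a positive whole number, got {qty_field!r}"
    qty = int(qty_field)
    if not 1 <= qty <= MAX_QTY:
        return None, f"quantity {qty} out of range 1..{MAX_QTY}"
    return qty, ""


def hardened_total(lines):
    """Reads only sku and qty from the request; any posted price is ignored and the
    amount is recomputed from CATALOG. Returns ("ok", total) or ("rejected", reason)."""
    total = Decimal("0")
    for line in lines:
        qty, err = validate_line(line.get("sku"), line.get("qty"))
        if err:
            return "rejected", err
        total += CATALOG[line["sku"]] * qty
    if total <= 0:
        return "rejected", "non-positive total"
    return "ok", total
```

The rule is the same for all three stories: the only things the browser is allowed to tell the server are which product and how many, and "how many" is a positive integer with an upper bound the business actually wants to honour.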

Been down this road. Many systems (like django, for example) practically encourage this, since they ask you to put your DB password into the settings file, which naturally, is very easy to check in.
– mlissner, Apr 18 '11 at 3:46

or leaving the factory defaults like admin/admin (as well or especially in the hardware)...
– Gnark, Sep 24 '09 at 11:29

I've got one worse -- I left a university after having been strung along, with the director telling me they were creating a higher-grade job for me after I had graduated, but I later found out he told my manager they were not to promote me. Needless to say, I wasn't happy about it. I specifically told my manager to change every password I had access to. The week after I left, I get an e-mail from my manager with the root password, 'just in case I needed it'. I contacted the sysadmin to make sure it was changed again, as I didn't want to take the fall if something went wrong.
– Joe, Sep 24 '09 at 13:53

@Sophomore: I recall in Feynman's biography him commenting that many of the giant, ultra-secure safes housing the Manhattan project secrets were left in the default combinations.
– Brian, Sep 24 '09 at 19:48

I can just imagine a USSR spy getting to the safe and trying everything he can think of to crack the safe, "Damn! I can't crack it. Wouldn't it be funny if I could just...wow, score one for Mother Russia!"
– Eric, Sep 30 '09 at 23:09

Can't stop smiling while reading this. I was working as an IT technician one summer at a very well-known Swedish company, and when I returned several years later to work as an engineer, I had some problem installing some software. Out of the blue I remembered the old admin password, and voila! It worked =)
– Viktor Sehr, Apr 9 '10 at 16:05

Though this is not the worst security hole I've ever seen, it is at least the worst I've discovered myself:

A pretty successful online shop for audiobooks used a cookie to store the identification information of the current user after successful authentication. But you could easily change the user ID in the cookie and access other accounts and purchase on them.

Right at the start of the .com era, I was working for a large retailer overseas. We watched with great interest as our competitors launched an online store months before us. Of course, we went to try it out... and quickly realized that our shopping carts were getting mixed up. After playing with the query string a bit, we realized we could hijack each other's sessions. With good timing, you could change the delivery address but leave the payment method alone... all that after having filled the cart with your favorite items.

When I first joined the company I currently work at, my boss was looking over the existing e-commerce web site of a prospective new client. This was in the fairly early days of both IIS and e-commerce, and security was, shall we say, less than stringent.

To cut a long story short, he altered a URL (just out of curiosity), and realised that directory browsing wasn't turned off, so you could just cut the page name off the end of the URL and see all the files on the web server.

We ended up browsing a folder containing an Access database, which we downloaded. It was the entire e-commerce customer/order database, replete with several thousand unencrypted credit card numbers.

This was nearly twelve years ago, when data-driven web sites were a cutting-edge novelty; many sites ran against Access or similar, because no-one wanted to invest in a SQL Server license for something that was seen as an 'aside' to their core business. How things have changed!
– Mark Bell, Jan 18 '12 at 9:28

When I was 13 years old my school opened a social network for the students. Unfortunately for them I found a security bug where you could change the URI to another userID like "?userID=123" and become logged in for that user. Obviously I told my friends, and in the end the school's social network was filled with porn.
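Added example, not code from any of the three posts above (the audiobook shop's user-ID cookie, the competitor's guessable session in the query string, and the school network's `?userID=`): a session value that is just the user ID, beside a signed, expiring session token the server can verify and a client cannot rewrite. The key, cookie names and timestamps are constructed for the demo.

```python
import hashlib
import hmac
import secrets
import time

SERVER_KEY = secrets.token_bytes(32)   # demo value; in production a persistent secret loaded from config


def vulnerable_current_user(cookies):
    """The audiobook-shop pattern: the cookie *is* the user id and the server believes it,
    so editing uid=123 to uid=124 logs you in as user 124."""
    return int(cookies["uid"])


def issue_session(user_id, ttl=3600, key=SERVER_KEY, now=None):
    """user_id.expiry.HMAC(key, 'user_id.expiry'); only the key holder can mint one."""
    exp = int(now or time.time()) + ttl
    payload = f"{user_id}.{exp}"
    tag = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{tag}"


def hardened_current_user(cookies, key=SERVER_KEY, now=None):
    """Returns the user id, or None for a missing, malformed, tampered or expired token."""
    try:
        uid, exp, tag = cookies["session"].split(".")
    except (KeyError, ValueError):
        return None
    expected = hmac.new(key, f"{uid}.{exp}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return None          # any edit to uid or exp invalidates the tag
    if int(exp) < (now or time.time()):
        return None          # expired
    return int(uid)
```

A signed token is the stateless option; the other common design is a long random opaque ID stored server-side and mapped to the user there. Either way the principle is the same: nothing the client can type determines which account it is treated as.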

Mine would be for a bank I was a customer of. I wasn't able to log on, so I called customer service. They asked me for my user name and nothing else - didn't ask any security questions or try to verify my identity. Then instead of sending a password reset to the email address they had on file, they asked me what email address to send it to. I gave them an address different than what I had on file, and was able to reset my password.

So essentially, all a hacker would need is my user name, and he could then access my account. This was for a major bank that at least 90% of people in the United States would have heard of. This happened about two years ago. I don't know if it was a poorly trained customer service rep or if that was standard procedure.

@Si: it writes 'I WAS a customer of...'. I think that answers the question. :)
– ShdNx, Sep 24 '09 at 10:53

This was Washington Mutual, which was seized by the FDIC and sold to Chase early this year. They also had strange error messages. When I tried to set my password from the temp one I kept getting a "Passwords don't match" error, even though they were the same and I even copy/pasted. I realized that if I put "invalid characters" like a forward slash, instead of saying invalid characters, it would give me that other message.
– Sean, Sep 24 '09 at 19:44

@Elizabeth: Uhm... you realize that's to prevent phishing right? If someone tries to copy or mimic the bank website it can look exactly the same, but presumably they don't have access to the database, so they can't pull up the right security picture. That's why that's there. Not all users are smart enough to check the cert (which might be similarly bluffed)
– Mark, Sep 26 '09 at 2:20

Years and years and years ago the company I was working for wanted indexing on their ASP web site. So off I went and set up Index Server, excluded a few admin directories and all was good.

However, unknown to me, someone had given a sales person FTP access to the web server so he could work from home; this was the days of dialup and it was the easiest way for him to swap files.... and he started uploading things, including documents detailing the markup on our services.... which Index Server indexed and started serving up when people searched for "Costs".

I think "whitelists not blacklists", while often good advice, is not the correct lesson to learn here. The correct lesson is "don't put private data on a public server". Also, "don't let sales people access the server".
– rmeador, Sep 24 '09 at 15:23

Oh, the harmony between the answer and the avatar.
– çağdaş, Oct 6 '09 at 15:24

Payment systems that use engines such as PayPal can be flawed because the response back from PayPal after payment was successful is not checked as it should be.

For example:

I can go on to some CD purchase website and add some content to the cart, then during the checkout stages there's usually a form on the page that has been populated with fields for paypal, and a submit button to "Pay"..

Using a DOM Editor I can go into the form "live" and change the value from £899.00 to £0.01 and then click submit...

When I'm on the PayPal side of things I can see that the amount is 1 penny, so I pay that and PayPal redirects some parameters to the initial purchase site, which only validates parameters such as payment_status=1, etc., and does not validate the amount paid.

This can be costly if they do not have sufficient logging in place or products are automatically dispatched.

The worst kind of sites are sites who deliver applications, software, music, etc.

+1 Agreed. In the hosted payment page situation the originating website should not allow the user to drive values to be posted; instead the page should post back to itself upon user click and then the server formulate and send a post op to the payment "gateway" directly with appropriate values. It all depends on what the gateway expects and how interactions can be made with it, but I cannot see any gateway worth its salt not having a more secure scenario than what you described. Maybe I'm wrong though.
– John K, Oct 23 '10 at 20:29
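Added example, not code from the answer or the comment above: the status-only check the answer describes, beside a confirmation step that compares what the gateway says was paid with what the merchant's own order record says is owed. It is written around the field names PayPal's IPN uses (`payment_status` with the value `Completed`, `mc_gross`, `mc_currency`, `receiver_email`, `txn_id`, and `custom` as the pass-through order id); treat those names, the merchant address and the order book as the assumptions this demo is built on. The post-back to the gateway that confirms the notification is genuine is a network step represented here by a boolean.

```python
from decimal import Decimal, InvalidOperation


class PaymentProcessor:
    """Holds our own record of what each order costs and which gateway transactions we have accepted."""

    def __init__(self, merchant_email, orders):
        self.merchant_email = merchant_email.lower()
        self.orders = orders            # order id -> {"amount": Decimal, "currency": str, "paid": bool}
        self.seen_txn_ids = set()

    def vulnerable_confirm(self, ipn):
        """The check from the answer: status flag only; the amount is never compared."""
        if ipn.get("payment_status") == "Completed":
            self.orders[ipn["custom"]]["paid"] = True
            return True
        return False

    def hardened_confirm(self, ipn, verified_by_gateway):
        """verified_by_gateway: result of posting the raw notification back to the gateway
        (network step not shown). Returns (accepted, reason); nothing ships unless accepted."""
        if not verified_by_gateway:
            return False, "notification not acknowledged by gateway"
        order = self.orders.get(ipn.get("custom"))
        if order is None:
            return False, "unknown order"
        if ipn.get("payment_status") != "Completed":
            return False, f"status is {ipn.get('payment_status')!r}"
        if ipn.get("receiver_email", "").lower() != self.merchant_email:
            return False, "paid to a different account"
        if ipn.get("mc_currency") != order["currency"]:
            return False, "currency mismatch"
        try:
            paid = Decimal(ipn.get("mc_gross", ""))
        except InvalidOperation:
            return False, "unparseable amount"
        if paid != order["amount"]:
            return False, f"paid {paid} but order total is {order['amount']}"
        txn = ipn.get("txn_id")
        if not txn or txn in self.seen_txn_ids:
            return False, "missing or replayed txn_id"
        self.seen_txn_ids.add(txn)
        order["paid"] = True
        return True, "ok"


def make_orders():
    """Constructed order book: one £899.00 order, not yet paid."""
    return {"A1001": {"amount": Decimal("899.00"), "currency": "GBP", "paid": False}}


def tampered_ipn():
    """Constructed notification for the order after its amount field was edited to 1p in the browser."""
    return {"payment_status": "Completed", "mc_gross": "0.01", "mc_currency": "GBP",
            "receiver_email": "sales@example-cds.test", "txn_id": "TX-0001", "custom": "A1001"}
```

The amount check is the one the answer is about, but the receiver, currency and `txn_id` checks close the neighbouring holes: a payment of the right amount to the attacker's own account, the right number in a cheaper currency, or the same genuine notification replayed against a second order.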